From df792530cd97ab64a8f63b770e05df268a8d1016 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 28 Mar 2023 22:11:12 +0100
Subject: [PATCH] feat(profile): add kreadconfig5 & some network integration. See: #134
---
 apparmor.d/groups/kde/kreadconfig | 23 +++++++++++++++++++++++
 apparmor.d/groups/network/NetworkManager | 1 +
 apparmor.d/groups/network/openvpn | 2 +-
 apparmor.d/profiles-a-f/firewalld | 5 ++++-
 apparmor.d/profiles-s-z/sddm | 1 +
 5 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 apparmor.d/groups/kde/kreadconfig
diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig
new file mode 100644
index 00000000..f3c43825
--- /dev/null
+++ b/apparmor.d/groups/kde/kreadconfig
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/kreadconfig5
+profile kreadconfig @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/icu/{,**} r,
+
+ /etc/xdg/kdeglobals r,
+
+ owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+ owner @{user_config_dirs}/kdeglobals r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 83820a64..cb050865 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -92,6 +92,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/nft rix,
+ /{usr/,}{s,}bin/netconfig rPUx,
 /{usr/,}bin/dnsmasq rPx,
 /{usr/,}bin/kmod rPx,
 /{usr/,}bin/resolvconf rPx,
diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn
index c0345acc..4e1b4ff7 100644
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
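Review bot: The read rules in the new `kreadconfig` profile cover only `kdeglobals` (system-wide and per-user), so a caller that points kreadconfig5 at any other config file, for example through its `--file` option, will be denied. If that restriction is intentional, record it above the rules with a comment such as `# Only kdeglobals is readable; extend when a caller needs another file`. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing before further rules are appended.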
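Review bot: `rPUx` on the new `/{usr/,}{s,}bin/netconfig` rule in the NetworkManager hunk lets that helper run unconfined whenever no `netconfig` profile is loaded, whereas the neighbouring helpers (`dnsmasq`, `kmod`, `resolvconf`) use `rPx` and never leave confinement. NetworkManager handles network-supplied data, so an unconfined child is the broadest permission this profile grants. Prefer shipping a `netconfig` profile and writing `/{usr/,}{s,}bin/netconfig rPx,`, or at least mark the fallback with `# FIXME: no netconfig profile yet, falls back to unconfined`. The sddm hunk adds `/usr/etc/X11/xdm/Xsetup rPUx,` with the same fallback, under an existing FIXME comment. The profile body starts and ends outside the hunk.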
@@ -64,7 +64,7 @@ profile openvpn @{exec_path} {
 @{run}/openvpn/*.{pid,status} rw,
 @{run}/NetworkManager/nm-openvpn-@{uuid} rw,
- /{usr/,}bin/ip rix,
+ /{usr/,}{s,}bin/ip rix,
 /{usr/,}bin/systemd-ask-password rPx,
 /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
 /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn,
diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld
index f5d68644..4b3d745c 100644
--- a/apparmor.d/profiles-a-f/firewalld
+++ b/apparmor.d/profiles-a-f/firewalld
@@ -24,11 +24,14 @@ profile firewalld @{exec_path} {
 @{exec_path} mr,
 /{usr/,}{s,}bin/ r,
+ /{usr/,}{s,}bin/ebtables-legacy rix,
+ /{usr/,}{s,}bin/ebtables-legacy-restore rix,
+ /{usr/,}{s,}bin/ipset rix,
 /{usr/,}{s,}bin/kmod rPx,
 /{usr/,}{s,}bin/xtables-legacy-multi rix,
 /{usr/,}{s,}bin/xtables-nft-multi rix,
- /{usr/,}bin/false rix,
 /{usr/,}bin/alts rix,
+ /{usr/,}bin/false rix,
 /usr/share/libalternatives/ r,
 /usr/share/libalternatives/ip{,4,6}tables*/{,*} r,
diff --git a/apparmor.d/profiles-s-z/sddm b/apparmor.d/profiles-s-z/sddm
index bdb9cd5c..63a7af3a 100644
--- a/apparmor.d/profiles-s-z/sddm
+++ b/apparmor.d/profiles-s-z/sddm
@@ -84,6 +84,7 @@ profile sddm @{exec_path} {
 # SDDM scripts # What to do with it? (#FIXME#)
+ /usr/etc/X11/xdm/Xsetup rPUx,
 /usr/share/sddm/scripts/Xsetup rPUx,
 /usr/share/sddm/scripts/Xstop rPUx,
 /usr/share/sddm/scripts/wayland-session rPUx,
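Review bot: The three helpers added in the firewalld hunk (`ebtables-legacy`, `ebtables-legacy-restore`, `ipset`) are executed with `rix`, so they inherit firewalld's own rule set instead of getting a profile of their own. Whatever they need beyond the binary itself must therefore be granted elsewhere in this profile, which the hunk does not show. It is worth confirming in complain mode or from the audit log that no denials remain after this change. As a style point, the two ebtables lines could be a single rule, `/{usr/,}{s,}bin/ebtables-legacy{,-restore} rix,`, matching the brace alternation already used for `ip{,4,6}tables*`. The profile body starts and ends outside the hunk.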